Sir Peter Westmacott
[Pause] So, welcome everybody. My name is Peter Westmacott and I’ve been asked just to moderate this discussion, partly because I used to be Ambassador in Washington, partly because these two characters here are old friends of mine, so I’m thrilled to do it. And, Lisa, thank you so much for making the time to be here on your way to the Munich Security Conference and may I say also, welcome to Ambassador Jane Hartley, we’re thrilled to have you here, Ambassador, which is an indication of the importance of the subject and the importance of our visitor, who has not been here for a little while, for COVID and other reasons. So, we’re thrilled to have you all here. Thank you very much.
Couple of housekeeping points that I have to mention, please. Today’s discussion is going to be on the record and it is being livestreamed. We encourage people who are going to contribute through social media to use the #CHEvents there, as it – as written on the screen and @ChathamHouse. I will be, as I say, moderating the discussion, but also calling on people here who want to ask a question, if they would like to do so. There will be a microphone, you don’t need to stand up, just raise your hand and somebody will come and find you, and anyone who is online who’d like to ask a question, please submit it in writing and I will do my best to read out your question and to see whether it is for Paddy or for Lisa to answer. So, that’s the way we will do that.
What we’re going to do is I will just introduce briefly our two distinguished guests. Lisa will speak for eight or ten minutes or so. I might or might not exercise my privilege of being here to pick up a point or two that she has made. Paddy McGuinness will then speak and then, we’ll have a bit of an orchestrated discussion between us, before we throw it open to the floor. Everything to be finished in 60 minutes, sharp. So, we’ll see how we get on.
Now, we’re here today to talk about Disruptive Technologies by Nation States and Malign Cyber Actors and by extension, how the UK and US Governments are dealing with them. Disruptive technologies cover a multitude of sins. Chip manufacture, artificial intelligence, algorithms, abuse of facial recognition software, the exploitation of restricted technologies, attacks on our critical infrastructure, phone hacking, social media manipulation, data theft and much else, including the odd spy balloon flying high in the space.
So, we’ve got lots to talk about and a couple of real experts and I’m thrilled, really thrilled, that Lisa is here with. We’ve dealt with each other in Washington and elsewhere over a number of years and she’s a dear friend and we’re very pleased that she’s here. For those of you who don’t know all about her distinguished career, I’m going to embarrass her by running through a little tiny bit of who Lisa Monaco really is. Deputy Attorney General of the United States, the 39th of that ilk and as such, she is the number two person in the Department of Justice and essentially does all the overall supervision of the DOJ. She advises and assists the Attorney General in formulating and implementing the department’s policies and programme. She’s been with the Department of Justice for many years. She was a career Federal Prosecutor and has been in a number of leadership positions across the department. Used to work for Janet Reno who was the Attorney General when I was first in Washington during the Clinton Administration and I remember spending a lot of time with Janet and I think we were probably in the same room there and then.
So, it goes back a long way. She’s had a number of leadership roles. She was Chief of Staff at the FBI and then when we saw a lot of each other was when Lisa became, I’ve got to get the terminology right, Homeland Security and Counterterrorism Advisor to the President when President Obama was in the White House, and I had the privilege of being our Ambassador there. So, we did a lot of things together at that time and during that period when Paddy was our Deputy National Security Advisor some of the time, but he was also doing another role in government, he too had the privilege of working closely with Lisa on a number of these security issues. A wide range, including responses to international domestic terrorism threats, cyber, natural disasters, and all aspects of US Government’s policy on counterterrorism and counterterrorism strategy. Lisa was born and raised in Massachusetts, surprise, surprise, a graduate of Harvard University and of the University of Chicago Law School.
Paddy, the gentleman the other side of Lisa there is now Senior Adviser at the Brunswick Group and former UK Deputy National Security Advisor. These days, he advises businesses and governments around the world on data and cyber issues, business resilience and geopolitical and regulatory risk. He sits on the Advisory Committee of the UK’s Reinsurance Pool for Terrorism Risk and he advises the UK Parliament’s Joint Committee on the National Security Strategy. In 2014-18 he was the UK’s Deputy National Security Advisor for Intelligence, Security and Resilience and that included dealing with risk and reactions to risk on all aspects of hazard, threat, national crisis response co-ordination, cyber-strategy, counterterrorism and so on. These days, he is also advising some private equity funds and another number of technology and other start-ups. So, he’s a busy boy as well. Paddy, we’re thrilled that you are here, but enough of me, Lisa, over to you and we are looking forward with enormous interest hearing your remarks. Thank you.
Lisa Monaco
[Pause] Thank you so much, Peter, and good afternoon, everyone. I really want to say thank you to Chatham House for having me here today and thank you very much to all of you in the room for that very warm welcome. I also want to acknowledge our terrific Ambassador, Jane Hartley, who is here today. It is – she is a long time friend and is a tremendous Ambassador for our government here in the UK to steward our special relationship and so, I really appreciate her being here. I think it says something about the wisdom of our respective governments that the UK and His Majesty’s Government has also sent another fabulous woman to be the UK’s Ambassador in the United States. I am, of course, speaking of Dame Karen Pierce who we are very fortunate to work with in Washington, so great to have you here, Jane.
It is great to share a stage with Sir Peter and with Paddy, who are, themselves, two great UK leaders in national security and foreign policy and as Peter mentioned, also dear friends and former colleagues when I served as President Obama’s Homeland Security and Counterterrorism Advisor. In those days, our work, as Peter noted, focused on counterterrorism and on cyberthreats and new challenges in both of those arenas. Today, though, those challenges are very much still with us and still present, but today the US and the UK and our allies stand together against new threats. Threats posed by, and threats from, autocracies projecting power at home and abroad, threats from adversaries challenging norms from launching spy balloons, to unleashing the most significant land invasion in Europe since the Second World War. And of course, threats from nation states, rogue nations seeking to undermine democracy and the rule of law.
Now, we see this aggression playing out not only on battlefields, but in economic zones and information spaces, in cyberattacks and the vacuuming up of sensitive data and the exploitation of restricted technologies. We also are seeing some countries threatening our national security through foreign investment, investment designed to access sensitive data and key technologies. Today, autocrats seek tactical advantage through the acquisition, use and abuse of disruptive technology, innovations that are fuelling the next generation of military and national security capabilities. They, of course, want to acquire that technology by any means possible, not only to fuel surveillance and repression at home and abroad, but to gain strategic dominance.
The US and the UK and our allies confront these national security challenges daily and in the United States, the Department of Justice is at the centre of our efforts, working with our allies to combat these threats. As the lead law enforcement and domestic counterintelligence agency in the United States, the Justice Department is uniquely positioned, with our dual national security and law enforcement authorities and missions, to respond to this threat landscape, and that is exactly what we are doing. Our Prosecutors, our Agents and Analysts use law enforcement tools, often in novel ways, to counter national security threats and we use our intelligence tools to provide policymakers the vital information they need to shape how we respond. We are disrupting cyberattacks, enforcing sweeping sanctions, analysing foreign investments in US businesses to detect and to deter bad actors, all to protect American technology and knowhow from being exploited by our adversaries.
First, when it comes to cyberspace, we see nation states often acting in concert with criminal groups in a new, blended double threat, engaging in more sophisticated and brazen and dangerous attacks. They are threatening the core public institutions, like our hospitals and our schools, with ransomware attacks, and they are routinely probing our critical infrastructure for vulnerabilities. They use cyber-armies and proxies, hackers for hire, and organised criminal networks in ways that flout international norms and risk our collective security.
As we’ve done before against terrorism, we are working with our allies and our partners to combat cyberthreats by innovating and using new tools to turn the tables on the hackers. Last year, for instance, working with our partners in the UK in something called Operation Cyclops Blink, we disrupted a global botnet, a botnet that was controlled by the GRU, the Russian Military Intelligence Agency. We disabled Russia’s control over these devices before, and I emphasise before, they could be deployed in an attack, an attack against Ukraine, against us or our allies. Our work, collectively with our partners, protected innocent victims in the United States, in the UK, indeed, around the world.
Now, this leads me to the second threat that we face, the weaponization of data. Personal data is, of course, the fuel for our adversaries, both surveillance and intelligence states. Whether it’s through traditional or corporate espionage, our adversaries are targeting troves and troves of data. As our intelligence community has noted, China leads the world in using surveillance and censorship to keep tabs on its population, to repress dissent and to counter perceived threats abroad. And the Chinese Government is not just hacking to gather our data.
China’s doctrine of civil military fusion means that any advance by a Chinese company with a military application must be shared with the state, and its national security law requires any company doing business in China to make its data accessible to the government. So, if a company is operating in China and it is collecting your data, it’s a good bet that the Chinese Government is accessing it. Now, the weapon – the ability, rather, of – to weaponize data will only advance over time as artificial intelligence and algorithms enable the use of large data sets in new and sophisticated and increasingly sophisticated ways. The data obtained today could be used in new and very frightening ways tomorrow.
Now, this brings me to the third piece of the threat landscape, the national security threats posed by the use and abuse of disruptive technologies by autocratic governments. No matter what means they employ, whether it’s cybertheft or sanctions evasion or exploiting foreign investment, we must guard our technologies from adversaries who would use them against us. The Department of Justice is using all of its tools, all of its authorities, to combat this threat, fighting cybercrime, combatting sanctions evasion and most recently, updating our regulatory tools to ensure we protect against foreign investments that threaten our national security.
Now for decades, the United States has screened foreign investment in US companies for potential national security risks. Through the Committee on Foreign Investment in the United States, known by its acronym, CFIUS, the Justice Department helps prevent foreign threat actors from exploiting those investments to acquire US assets and technology, while supporting the benefits that flow from open investment. But CFIUS began nearly 50 years ago in an era of brick-and-mortar transactions. But today, the greatest risk comes not only from investment in our physical assets, but from transactions where datasets, software and algorithms are the assets. That’s why we’ve sharpened the focus of CFIUS on transactions that pose a threat to data security, to cybersecurity and the resilience of our critical supply chains. President Biden has directed now that CFIUS consider if foreign investments in a particular industry, made over time, threaten national security or our own technological leadership.
But I think we also need to consider that risks from foreign investment run in both directions. We must also pay attention to how our adversaries can use private investments in their companies to develop the most sensitive technologies to fuel their drive for military and national security edge. So, we are exploring how to monitor the flow of private capital in critical sectors and ensure that our own outbound investment in dual use technologies doesn’t provide our adversaries with a national security advantage. Close collaboration with the UK will be crucial to getting this right.
Now, beyond foreign investment screening, we’re also employing other tools to control the exports of critical technologies. Last fall, President Biden signed the CHIPS Act to ensure US leadership in global chip production. The Act invests in critical chip research and manufacturing and restricts the transfer to adversary nations where those transfers pose a national security risk. At the same time, our Commerce Department has imposed new export controls on advanced computing and semiconductor components, cracking down on the PRC’s ability to acquire certain client chips. Justice Department Prosecutors will be vigorously enforcing these new rules, as well as those that control other sensitive technologies.
And that’s why today, I’m excited to announce the launch of a new initiative, the Disruptive Technology Strike Force. A collaboration of US law enforcement, led by the Justice and Commerce Departments, this strike force brings together our top experts to attack tomorrow’s national security threats today. We will use intelligence and data analytics to target illicit actors, we will enhance our public and private partnerships to harden our supply chains and we will identify early warning of threats to our critical assets, like semiconductors. Our goal is simple but it’s essential, to strike back against adversaries trying to syphon off our best technologies.
The Department of Justice is deploying all its tools to respond to nation states who would exploit technology to undermine our alliances, our national security and the rule of law. But our most critical tool in this effort is one we don’t share or compete with our adversaries for, it’s the power of our partnerships, particularly the one we have shared with the UK for so long. Thank you so much for having me and I look forward to the discussion.
Sir Peter Westmacott
Lisa, thanks so much. I think the announcement of the new Disruptive Technology Strike Force, and I like the word ‘strike’, suggests there’s an initiative being taken there. It’s going to guarantee a certain amount of publicity and headlines in advance of your trip to Munich. I’ve got a couple of other questions I’d love to ask you, but before doing that, I’m going to ask Paddy if he would like to add to the debate and set the scene a little bit from the UK perspective.
Paddy McGuinness CMG OBE
Certainly, thanks Peter and Lisa. Wonderful to see you and wonderful to be here with all of you. I’d like to start, first of all, by embarrassing Lisa. So, I’d like to embarrass her this way. So, it’s clear to me, in a way that it probably won’t be clear to any of you, as the person who used to sit first for David Cameron, then Theresa May, looking at the hazards and threats affecting the United Kingdom, what David Cameron used to joke as, “Ah, here’s the deep state,” when I strolled into the room. It was clear to me every day that the work that Lisa has done, and does now, and the agencies and organisation that she represents, that British citizens individually are safer every day as a result of their work and the real nature of that co-operation’s not apparent to most people and that’s true operationally, but it’s also true in the formation of policy and thinking how we innovate against dynamic threats and difficulties. And critically, innovating in a way that is lawful and proportionate, which is a characteristic of Lisa’s work, so I’m really pleased to have you here.
But if – I’d made just quick – four quick points as regards the United Kingdom. So, the first one is another thing that’s very striking to me is that the things that Lisa and I were working on that were deeply secret in 2014, when we first started work together, are now profoundly public. We were worried about whether undersea cables were secure. Then we were worried about what was happening the telephony infrastructure on switches and routers. We were worried about how satellite downlinks could be interfered with. Of course, we were worried about cyber, that was public and we were worried about if you can interfere with satellite downlinks, what can you do to GPS and what do you do when you have critical national infrastructure that’s dependent, not just on positioning, but critically on timing, as a great deal of national infrastructure is? And that was all, you know, on funny coloured paper and special folders, all that sort of thing.
Now it’s part of the discourse, not least because we can see it manifest in the electronic warfare campaign that Russia is mounting, or has tried to mount in Ukraine, so that’s cyber and the use of disruptive technology writ large, not just, can they interfere with my desktop, or my server, or my routers? So – and it isn’t as if we’ve come to the end of revelation about technology. So, there’s something dynamic in the way that secret things, things that are only now, you know, perceived, become public and become part of the public discourse and need to be dealt with and we need a policy response.
Secondly, second dynamic factor, my word, there’s a lot of work, yes, in the United Kingdom, yes, in the United States, as we just heard from Lisa, but also the European Union and elsewhere and in – certainly in China, to respond in terms of legislation, regulation and practice to these changes in technology. And one just thinks about the body of business that’s going through the British Parliament just at the moment. We’ve got the National Security Investment Act which is bedding in, we’ve got the National Security Bill coming through. Of course, the Online Safety Bill has implications in the area that Lisa’s talking about, etc., etc., etc., and we have a restructuring of government. So, there’s a real dynamic aspect to the way in which Government’s trying to catch up.
I would note, still, most of our discourse, though, is about technologies that – or about use of technologies that it’s already manifest. It’s about 5G and the difficulties we’ve had. We’re still talking about that with each other. It’s about social media sites which have already got penetration in our societies to a profound degree. So, that’s to my mind, something very exciting about what Lisa’s saying in terms of the strike force, because the thing I most wanted when I was in government was to know what the emerging technology risk was, not just what the squashing toad of an existing problem was that I had to deal with, it just hadn’t become public yet. Actually wanted to try and get ahead of it and it sounds like there’s some potential there.
Now I work with businesses, mainly listed companies, I do it globally. The third dynamism I see is the dynamism of obligations upon leaderships in companies, yeah, and there are pieces of legislation. One thinks of the blessed GDPR, but there are others too where they have to maintain resilience, where they have to have a mechanism for understanding the risk that there is in their practices, yeah. And the kind of discussions that we’re having, the points that we’re making, the points that Lisa hinted at there, which go into great deal about what hostile states and other malign actors are doing on, effectively, private sector networks, creates an obligation under existing regulation legislation and as this dynamic change to regulation legislation more and more and so, this becomes something that boards, that business leaders, have to deal with and need help dealing with and need a partner. I’m sure we’ll talk about the wonderful work the Department of Justice does and the FBI does to engage with business. There is a challenge and I know in the UK, we’re thinking about that at the moment, not least in the implementation of the National Security Investment Act.
And then, my final thought, I talked about Lisa being proportionate. There is a real risk, as those who’ve got an understanding of the emerging technologies and how we need to deal with them and their exploitation by hostile states, there’s a real risk that this turns into a broader discussion about the hostile state and we run the risk economically of throwing out, not just the baby with the bathwater, I’d argue the bath itself, yeah. And so, there’s something profound to my mind in bringing together those who truly understand the errors of technology and the problems they represent on public or private sector networks or in any domain and countering them specifically, because it is in specificity and nuance that we’re going to be able to avoid significant economic disruption, as we do the necessary work of national security. And that’s a key element of the proportionate response we should be looking for on the leadership we’re getting from the Department of Justice, in my view.
Sir Peter Westmacott
Paddy, thank you. Very striking listening to both of you just how much has changed, how much the challenge has evolved since the first years when we were working together on a number of these issues, much of it in the dark. And I’m struck, also, by the way in which making public a lot of the things that we used to feel we could not make public has been an extraordinarily important instrument in our foreign and security policy. Look at the way in which we managed to call out what Putin was doing in Ukraine and win, frankly, the narrative very quickly and show his lies to be barefaced lies from the outset and not be as scared as we used to be about compromising sources so that we knew – so that we showed where we got our information from. We’ve evolved, we’ve moved on and I think it’s very dramatic and it’s a useful, additional element to our defences and so much more of what you guys are dealing with now is in the public domain and that means that people are more aware of the risks and it means also that the bad guys are a little bit more on the back foot.
One little comment, Lisa, you mentioned the way in which we worked together, and you talked about the wonderfully named Operation Cyclops Blink. I wonder who came up with that. In the context of the new strike force that you have just described, do you think you can give us a little bit more of an idea of how you see United States working with close partners, such as the United Kingdom, to make it work?
Lisa Monaco
Absolutely. First, let me say thank you to my friend Paddy for those wonderful comments. I also find it interesting that both of the leaders that we worked for respectively had nicknames for their Homeland Security and Counterterrorism Advisors. I was interested to find out yours, I just learned that. Mine was “Dr Doom,” from President Obama because my portfolio, as Peter talked about, was everything from natural disasters to terrorism to cyber, so when I darkened the door that’s what he called me so you got – you and I can compete for good nicknames.
Paddy McGuinness CMG OBE
Yours was worse.
Lisa Monaco
Yes. So, to respond to your question, Peter. First, I think, you know, the strike force I talked about, I think is perfectly in line with our long history of partnership, whether it’s intelligence and national security work, whether it’s law enforcement co-operation, you know. I think about what we’re able to do on the cyber front, as was mentioned with Operation Cyclops Blink. As I think about what our countries have done working with our allies to push back against Russia’s unprovoked and brutal aggression in Ukraine through the work we’ve done co-operatively and collectively to impose, first, sweeping sanctions, really on an unprecedented scale and then, to enforce them. To make sure that they have real bite and to ensure that it has an impact, yes, on limiting Russia’s access to the global financial system, but very importantly, to also hinder Russia’s capability to build up and fuel its war machine. That is only accomplished by our collective work together to spot that sanctions evasion and go after it.
So, in this instance, with the strike force, what I envision us doing is pooling our experts in the United States, our work, our Prosecutors nationwide, our experts on the technology that is at risk and working with both the intelligence and national security and law enforcement communities across United States and yes, with our partners. What are the insights that we can glean and use together to target those export supply chains that may be misused and abused to fuel that, the abuse by autocratic governments of this disruptive technology? So, I think I see it completely in line as we have benefited from those relationships for so many years, whether the threat is the evolving terrorism threat, whether it’s the evolving cyberthreat, and now today, the very real and present threat posed by governments that seek to leverage technology and innovation in a way to repress their populations and to fuel their military advantage to our collective national security risk.
Sir Peter Westmacott
Thank you very much. Can I ask you, also, a little question about whether there’s more we can do to increase our collective resilience? People are asking, “Does end-to-end encryption make us safer or less safe?” and there is a debate going on in many of our capitals about that. And should we be banning completely access to our markets, to our societies, of some of those commercial entities like TikTok? And the Chairman of the Foreign Relations Committee here recently told a television anchor while I happened to be watching it, you know, “You absolutely got to scrap, get rid of your app for TikTok on your telephone because it isn’t secure and a risk to your personal welfare.” We’ve already done some of those things with Huawei, but what about that, should we be going further in the direction of no longer having anything to do with the firms which we believe might be Trojan Horses?
Lisa Monaco
Well, okay, a lot to unpack there. I’ll be interested to hear Paddy’s response to some of this, as well. First, on – I get this question a lot, on end-to-end encryption, “Has it made us safer or less safe?” I wholeheartedly reject the premise of that – of the way that’s postured. First, there is no doubt of the benefits that we individually, collectively in our nations, gain from end-to-end encryption, full stop. It is vitally important to privacy, to safety, to cybersecurity. But I also think we have to recognise that encryption is being used, to my mind, as both a sword and a shield. It’s being used as a terrific shield, as I indicated, to protect our cybersecurity, our privacy etc., but it’s also being used by – as a sword by nefarious actors, by illicit actors, to conceal whether it’s terrorism plotting, whether it’s the horrific, you know, distribution of online images that brutalise and manipulate and abuse young children in a host of different ways.
So, I think that we really do need to get out of this false dichotomy about whether it’s an either/or proposition. I think we, as the United States, as the United Kingdom and other rights respecting nations are not – should not be in a position, and I don’t think that we are, to, basically, say it’s an either/or. We can both protect human rights and public safety and achieve great benefits for the freedom of expression etc., that all derives from the use of encryption. But I know – I’m sure Paddy’s got some – and I’ll respond to your TikTok comment in a minute, but Paddy may have a thought on the encryption issue.
Paddy McGuinness CMG OBE
Yeah, I’d like to try to level, something I fundamentally agree with you and I do see end-to-end – or encryption as, essentially, neutral and exploitable by bad guys as well as good guys, and we can give specific examples. I just go back to my point about dynamism and the dynamism of the obligation being placed upon business. So, many businesses now say, you know, “Are our networks fully encrypted? And if not, let’s make them fully encrypted,” and they do their work, then, to do that, their internal networks and they get as much of it encrypted as possible. And the difficulty for them is that’s great if the monitoring of that traffic and the implementation of the encryption is done well. If it isn’t done well, you find that there’s traffic you thought was encrypted that actually, the certificate’s out of date, or isn’t quite right, or it isn’t fully encrypted and actually, therefore, you can scribe data from it, from the dataflow. Or you find that you don’t monitor it in your – through the operational centre and it’s being used by adversaries. I mean, that was one of the things that happened in Colonial Pipeline, it happened in other attacks, too.
So, encryption is really quite complex and as a business leader, trying to run a business doing something which isn’t an encryption company, it’s delivering something else, is really tricky ‘cause you think, I’ve done a thing that’s made me more secure, but actually what you’ve done is, you’ve created a new set of tasks in order to monitor whether or not you’re secure. And every time we engage with businesses in – what we’re doing is adding to the weight of what they have to do to maintain their security. So, being very clear about what these security tools we introduce are, how we monitor them, what the regulatory obligation is, really important.
I note, and Lisa probably can expand a little better, maybe not here if you don’t want, I should think ‘cause it probably won’t interest the audience that much, I note that the USG, the US Government, has recently required all public bodies to do a review of their cryptology, effectively, of the cryptological holdings and practices because of what I’ve just described. So, this is a complex area and it’s not just a good, if we encrypt end-to-end, everything will be splendid. No, it’s more complex than that, more nuanced.
Lisa Monaco
Right, I think that’s exactly right, and look, our leaders have said quite clearly, and I think that’s exactly right, you know, “Tightly controlled lawful access is vital, absolutely vital, absolutely vital to national security, to public safety,” for all the reasons, I think, that Paddy mentioned.
On your TikTok question, obviously I won’t talk directly about the review that is ongoing in the United States, but I will say this. It – I spoke in my remarks about the perils of Chinese companies being subject to Chinese national security laws and other – and American companies. Any company doing business in China for that matter is subject to China’s national security law, which requires turning over data to the state and there is a, you know, there’s a reason we need to be very concerned, and I think the Foreign Secretary’s comment you mentioned is well taken.
I will note I don’t use TikTok and I would not advise anybody to do so because of these concerns and look, the bottom line is, China has been quite clear that they are trying to, you know, mould and, you know, put forward the use and norms around technologies that advance their privilege and their interests, those interests that are not consistent with our own. Their interests which are fuelled by, and directed toward, an authoritarian approach to their government and that is not consistent with ours.
Sir Peter Westmacott
Thank you, Lisa. One last question from me, if I may, before we throw it open to the floor and to others. You’ve talked in your remarks about placing controls on exports of critical technologies and you’ve talked about the CHIPS Act and some of the other measures that the United States has taken in this domain. The question really, is there a risk that limiting or barring other states access to our technologies encourages them to develop their own and then, that we have no oversight at all over that technology, and that they start operating in ways which are even harder for us to manage than if they are using technologies that we’ve produced?
And a sort of, second part of the question, is there a risk of damaging the, kind of, rules-based WTO trading order by placing these unilateral restrictions, if you like, on trade with other countries in a way that threatens our overall prosperity? I noticed this morning that US-China trade has gone up to $700 billion last year. It’s significant in terms of the growth agenda.
Lisa Monaco
So, look, I think you raise some very, very important points, all of which have to be considered as we embark on and navigate this space. I think what it means is, we have to be incredibly thoughtful about how we go about this. To your first point, though, you know, the point I spoke about when we talked about our concerns about foreign investment, I think the risk that you pose is real, but I would also push back to say the acquisitions that we’re concerned about are the acquisition of our technology to fuel the creation of their technology that is creating a military and intelligence and national security edge. And so, it’s not the concern that we’re going to create really duelling silos, but really these are resource – they’re stealing it or acquiring it through nefarious ends. They’re not using their own, you know, resources to develop it, and so, that is probably not good for our collective competition.
We do, though, have to be quite thoughtful on how we’re doing it, whether it’s about inbound investment or outbound investment, which means conversations with like-minded nations, bit like between the US and UK, is critically important to getting it right, it means circumscribing. For instance, when I’m talking about controlling and monitoring and being mindful about the dangers about outbound investment. It has got to be focused, I think, on private capital in very specific industries and sectors, things like semiconductors, things like quantum computing, but not broadly – you know, not applying a broad brush to this approach.
Sir Peter Westmacott
Paddy, did you want to chip in?
Paddy McGuinness CMG OBE
One question for me, and so Lisa, your framing of that, deep not broad, how do governments communicate with business so that they understand what is required and you don’t have broad deadening effect? I know it’s something we’re wrestling with here in the UK at the moment with implementation to the National Security Investment Act, but we don’t want to have broad suppressive effect on inward investment, but there is some very specific areas. But until, you know, we have the maturity, perhaps of CFIUS, it’s hard to communicate that depth as opposed to that breadth. What’s the best way of going about that, what would your advice be to the British Government?
Lisa Monaco
Simply put, I’d say by doing it, right? I think you’ve got to be communicating and we need to do it more and better with our private sector. I think, as you know better now, because you’re – you know better than I now, because you’re out of government, but fundamentally, I think businesses want certainty, they want clarity, right? So, the more we can communicate the things we are concerned about, the why, and how we are going about thinking about that, kind of, you know, small yard, tall fence approach, I think the better off we’ll be.
Paddy McGuinness CMG OBE
Can I make a just quick observation? When I look at the American system, I look at people like Lisa, I could name people who are now in the National Security Council and elsewhere in government who are developing these policies, all of them have been out in business or legal practice, in a way, dealing with technology, cyber and data issues in a way that we don’t tend to have that advantage in the UK. We don’t have a leadership who are doing the security work who have actually been exposed to the realities of business and the realities of what it is like to be in a boardroom with a fiduciary duty.
Sir Peter Westmacott
Okay, it’s very different.
Paddy McGuinness CMG OBE
You and I end up with doing that after we’ve done the government service.
Sir Peter Westmacott
Yeah, we – that’s right, aren’t we? Okay, can I look around the room and see who would like to ask a question? Oh look, one here, front row.
Member
Paddy, Lisa, thank you very much. You spoke about the ‘dynamism’ of companies and in my experience, I’ve seen some ambivalence around regulatory powers and what happens within businesses. When you consider the backdrop of threats, whether that be botnets from GRU or the MSS infiltrating supply chains of major commercial airlines, it’s clear that technology isn’t the only way to combat the threat. What is the plan to engender a culture of better cyber behaviours at the organisational and individual levels to create stronger resilience?
Lisa Monaco
So, first, what I am trying to do and what we are trying to do in the Justice Department, is send a message, most importantly to businesses, the businesses that, let’s face it, in our country, own, operate, control the – you know, 80 to 90% of the critical infrastructure networks in my country, right? Which means that we in the government are really incredibly dependent and reliant on information that we get from, and reporting, that we can get from the victims of these cyberattacks.
So, that’s why when we were able to use a traditional law enforcement and legal tool, a forfeiture warrant, which was, you know, incredibly boring if you think about it, but it was used in an incredibly new and innovative way in the wake of the Colonial Pipeline attack, we used that legal tool, we in the Justice Department and the FBI, to do a very traditional thing when you’re talking about – to somebody in law enforcement, we followed the money, right. We followed the ransom payment that was made by Colonial, and got it back, right? We got it back and were able to get back a bunch of that ransom payment and return it to the victim. And so, that’s why you saw me get up in a press conference and do something we don’t normally do. We talked about the victim coming forward and helping us and how vitally important that is to our ability to help the next victim and frankly, prevent the next victim after that.
So, my message to business is, whenever I can make it is, we are all in this together when it comes to, particularly the cyberthreat. And we need that co-operation, we need that reporting. You know, we worked again with our international partners just a few weeks ago to take down a – the Hive ransomware actors, to the tune of – you know, being able to arrest and prevent rather, over $130 million in ransomware payments. That was thanks to co-operation and great sleuthing by the FBI and the Justice Department to literally lie in wait in what I call the “21st Century cyber stakeout.” We were able to watch and sit in that network for months, get those decryptor keys and hand them out to the victims so that they wouldn’t have their systems locked out. We were only able to do that because of the reporting that we got from the victims but only 20% of the victims actually reported. Think of what more we could’ve done with even more co-operation.
So, fundamentally, our orientation has changed. We don’t want to revictimize the victim, as the Justice Department. We want folks to come forward and work with us and we want to be focused and our front foot when it comes to preventing. We’re always going to want to make sure we can lock up the bad guys, don’t get me wrong, but we also need to focus, first and foremost within the cyberthreat, on the prevention piece.
Sir Peter Westmacott
Thank you, Lisa, come back to you in a moment. Yes, the lady over there with her hand up.
Joyce Hakmeh
Thank you very much, my name is Joyce Hakmeh. I’m from Chatham House. You spoke earlier, Deputy Attorney General, about the connection between criminals and nation state actors. And my question is in relation to this story that broke yesterday in the news about this Israeli company that has been, basically, offering this information as a service and, therefore, intervening in elections around the world. So, the strike force that you talked about is focused on adversaries or threats coming from adversary nations and I wonder whether this strike force will also cover threats that are emanating from an ally country and if not, how will the US continue to deal with these threats? Thank you.
Lisa Monaco
Thanks for the question. I’m not going to respond to the specific issue you reference, I haven’t seen that article, but I would just say broadly, yes, we are focused first and foremost on the use and abuse of these technologies by our adversaries, because we don’t have the level of trust because we know the use that they are putting those technologies to and we don’t have that level of transparency and shared values, as we do with the UK and generations of security co-operation and shared values. So, yes, that’s our priority, and because our first job in the Justice Department is to enforce the law and we have very specific export restrictions on that technology to specific countries, for very good intelligence and evidence-based reasons.
Sir Peter Westmacott
Gentleman in the white top, here. If you can bring the mic over.
Euan Grant
Thank you all very much. Euan Grant, I’m a former Law Enforcement Intelligence Analyst in the UK. I had responsibility for transnational organised crime in the ex-Soviet states. I’ve subsequently worked in EU missions, particularly in Ukraine, where many of the male national staff were ex-Soviet military and several were quite explicitly former GRU, if indeed former.
My question is about academia, and I think this is perhaps more a problem in the UK and particularly Europe, less so in the US. Is academia, both in STEM work and non-STEM, really engaged in working with you all on this? Because I’ve had the impression that large parts of academia can be a bit egotistical, and they see themselves above this and worked too closely with Russia and China for too long. I accept that’s a generalisation, but where do you see that from the UK-US and to a certain extent, European situation? Thank you.
Lisa Monaco
Paddy, on the UK front?
Paddy McGuinness CMG OBE
Sure. Well, a great American colleague, Keith Alexander, who was Head of the National Security Agency in the US for 12 years, has a great line which he uses, which he says – which brings me from having to break the Official Secrets Act, which is where he says, “At NSA, if we wanted to get into somewhere, we keep trying and we get in,” yeah? And he’s talking about all varieties of target networks.
So, if we start with the premise that we’re going to somehow make academic networks as secure as the nuclear firing chain, you know, there isn’t going to be academia, it’s not going to happen. So, I – rather than, in a sense blaming the culture in academia, I’d say there is a fundamental issue and that’s recognised, I think, in British strategy and response, and it’s a constant process and it is palpable, including, incidentally in the private sector, that we’re getting drawn more and more into supporting universities – colleges and universities and raising their cyber standards to make them – make it more difficult to get in, particularly around the most valuable assets that they have.
I would note there’s a very big distinction. I live near Oxford; I look at what is developed near – around near Oxford. Once we have something that is of significant commercial value it’s noticeable that your cyber standards change very markedly, very quickly. And so, I think it’s a mistake just to run academia together, but you can see it’s a priority area. You can see it needs a constant support and it absolutely is in the frontline of what Lisa is talking about and with the strike force.
Lisa Monaco
Well, I can certainly agree with that and I also think, you know, in general, what we try to do in the United States is have more transparency around the research dollars that are coming into our universities, that are – particularly those engaged in the hard sciences that maybe they’re targets of our adversaries, particularly those research institutions that take federal money and benefit from federal money. So, I think it’s about transparency. I think it’s also about having important trusted dialogue between the law enforcement and national security community within the United States and academia. That is – you know, that’s easier said than done, ‘cause for many good reasons, you know, there – I think there is a zone of care that is taken in those conversations, but it’s very important for us to have them and to work at them and to work to improve them.
Sir Peter Westmacott
Lisa, quick question from online audience, “What is the level of threat currently posed by cryptocurrency transactions?”
Lisa Monaco
Hmmm hmm. Well look, what I think we’re seeing is illicit actors using crypto in ways that I think has – is exploded, quite frankly. Whether it’s the ransomware payments that I mentioned recently with regard to Colonial Pipeline attack and others, and myriad other cyberattacks, whether it’s to hide sanctions evasion and to facilitate sanctions evasion to just do and fuel money laundering by a host of illicit actors. So, what we’re doing in the United States – so, the answer is the threat is going up, but it is, I think, owing to the desire of illicit actors to find any way and they’ll exploit new technologies to do that, to conceal their efforts. But what we’re trying to do is go after the whole ecosystem right?
So, yes, the illicit actors that are using crypto and other means to hide their efforts, but also, we need to ensure that the exchanges that are hosting these and facilitating these payments, are good actors in this system, need – and they should be employing the, kind of, know your customer rules that financial institutions have for years and that have benefited our collective efforts when it comes to the terrorism threat and when it comes to the cyber threat. That’s why you saw just a couple of weeks ago, us again, working with our international partners, this is a theme here folks, that we don’t do anything in isolation, to take down and disrupt the use of the Bitzlato Cryptocurrency Exchange notorious for fuelling millions and millions of dollars in illicit exchanges, from drug trafficking to money laundering. So, we’ve got to get at the entire ecosystem used by illicit actors to fuel their efforts, to include the use of crypto.
Sir Peter Westmacott
Do you want to add anything?
Paddy McGuinness CMG OBE
I’d just like to ping back on that, but also what Lisa was saying about the technical endeavour that there’s been out of the FBI and other bodies in the US in pursuit of malign actors online, and I think we’re just waiting for a refresh on our integrated review. I think there’s a really interesting question, given what we face in the world, about whether in the United Kingdom we are resourcing and approaching this in a way that’s comparable with that in the United States and whether or not we’ve got the technical ability distributed across government and law enforcement in the way that they have in the US and what we can learn from that. Because I – we should all be clear, we’re on the upslope of this, I mean, we’re on the upslope of ransomware, ransom payments, and abuse of cryptocurrency. There’s no sense in which we’re on the downslope and got it under control. You know, I’m afraid to say, on cyber crisis, I make a healthy living supporting people who get themselves, in one way or another, into difficulty. So, you know, there’s work to do here, to have a national technical capability to work alongside the United States, in crime as much as in national security.
Sir Peter Westmacott
So, another quick question, Paddy, perhaps for you, from the online audience. Bearing in mind what you just said, “Is there a role for the United Nations or Bretton Woods organisations in setting international rules and standards around the limits of artificial intelligence, the use of information and the way in which individuals’ human rights are in jeopardy, as things stand? Do we need more of an international rules-based framework to deal with these issues?”
Paddy McGuinness CMG OBE
I think we need transparency and to be transparent about, you know, what is being done, which algorithm is doing what, how artificial intelligence is working. At least when I had the joy of trying to deal with Chinese actors in British and American networks and negotiate UK or US-China cyber agreements, and indeed, try to operate within the frame – within the government group of experts under the UN around cyber, and can I say, this was slow going. So, I’m slightly sceptical that going that route would actually result in a real practical effect, given the way in which this is dynamic and growing, so we do need something different.
On the other hand, I do think a growing understanding, a growing independent view of what is happening in the information environment, is needed and I’m afraid to say I think it needs to be mutual, because at the moment, it is our view of what’s happening in the information environment. There’s a whole category of actor who we don’t catch with that and likewise, we wouldn’t want the information environment simply to be seen by our adversaries. We generally need an objective view on what is happening in our information environment.
Sir Peter Westmacott
Thank you. More questions from the floor. Let me take one from over this side. Yes?
Member
…national. I am wondering whether – what the threshold is, essentially, for the FBI and authorities to become interested in cyberattacks, given that we know there have been individuals targeted, citizens of the United States. And on top of that, are we, kind of, turning a blind eye or extending more flexibility to allied countries who aren’t as concerning as, say, Russia and China, our friends in the Middle East, or other authoritarian countries who are using private organisations, private companies, to hack into individuals, to hack into our infrastructure, but also investing into our utility companies and the private sector, as well? So, I’m wondering, while there’s all this focus on Russia and China, are we ignoring, or not paying enough attention to, other avenues of hacking, cyberattacks and other violations of human rights and extensions of that?
Lisa Monaco
Well, I think I would start by saying in – partially in response to the question from over here, you know, we have different frameworks that we can use and we are putting to work, as I mentioned before, our export control, for instance, framework, to address the abuse by nation states and adversary nations. I think we do have to be concerned about where this technology is going and the use it can be put to in the commercial space and having the right and having both transparency and legal frameworks around that. Certainly, it’s something that we are looking very closely at and are quite mindful when it comes to the governments’ use, for instance of commercial data, right, whether it’s in purchasing or using commercial data.
It’s something we’re having a very robust conversation about over in the United States when it comes to, how should the US Government be benefiting from using and ingesting, in some instances, commercial data, to add to the tools that we have that are, kind of, behind the wall, right? I think there is a lot of importance to that conversation, but we have to make sure we’re doing it in an open, a transparent way, and certainly one that is done, from my perspective, ‘cause this is what we’re focused on in the Justice Department, it is done consistent with the rule of law. Consistent with our Constitution and the statutory framework that we operate under, which applies very specific protections particularly to US persons’ personally identifiable information.
Sir Peter Westmacott
Lisa, do you reckon we can squeeze in one more question?
Lisa Monaco
Sure, sure thing.
Sir Peter Westmacott
There were several hands up over there. The lady here.
Member
Thank you. Congratulations on the new strike force, ma’am. I wondered if you’d comment on – you focused particularly on the role of platforms and data for the strike force, from the perspective of a large global private sector network. Do you see a role for telecommunications companies? How would you like us to continue to partner and collaborate with you etc.?
Lisa Monaco
Well, thanks very much. Look, we think we will benefit greatly from that ongoing conversation that I think we have been able to have as a government. For instance, in the cyber realm, I think we can build a lot of those – that, kind of, muscle memory that we’ve developed, for instance, the financial services sector. Working with our Treasury Department and working with others across US Government, we have been able to have a conversation and have a kind of mode of operation that I think benefits both the – to take the financial services sector as an example, to benefit from the great work they’ve done to harden their, and make more resilient, their networks and to protect their networks and to help us protect them.
I think the same conversation should be happening and will be happening around this strike force when it comes to companies and industries that are implicated by the work that we’re doing. So, I think about the ways that we can identify these illicit actors who are trying to evade, whether it’s sanctions, whether it’s trying to evade our export control regime, that we will use from, for instance, our FinCEN reporting and the like, right? We can harness those existing mechanisms and build further conversations around these new restrictions, for instance, from the CHIPS Act to I think, kind of, raise all boats, if you will.
Sir Peter Westmacott
Paddy, a final word.
Paddy McGuinness CMG OBE
So, on this question of telecommunications, I think we should all be clear that the – in the jurisdictions where the cyber environment is safer, it is because the backbone providers raise the base standard of cybersecurity and manage the data going through the networks before you get to the point of law enforcement intervention. That’s not really part of our discourse about our economic interaction with those providers. So, if you look around the world at how traditional backbone providers are doing in the stock markets and more generally, they’re a bit vulnerable ‘cause they’re squeezed. But yet they are our backbone when it comes to cybersecurity and that isn’t yet present in the thinking, or sufficiently present, in my view.
Occasionally, we have interventions, as we did, I think with active – that was in – around BT and we saw, you know, the announcement, we’ll certainly call that in if that develops into anything big, but it’s rare. But there’s something for my mind about really understanding how significant this partnership is for keeping us secure and making that part of government’s interaction with that sector.
Sir Peter Westmacott
Thank you for that. I’m afraid – sorry to those I haven’t been able to call, I think we are out of time. So, Doctor Doom and Deep State, thank you both.
Paddy McGuinness CMG OBE
What was your nickname, then?
Sir Peter Westmacott
Can’t remember, or unprintable. Chatham House has been doing this sort of thing for 100 years or so and I think this was a conversation right up there with the highest standards that Chatham House has got used to. Thank you both enormously for your contributions. You’ve contributed enormously to our understanding of these new and complicated and technological challenges. Lisa, we wish you bon voyage onto Munich.
Lisa Monaco
Thanks very much.
Sir Peter Westmacott
Where you can carry on the good work in telling the rest of the world how we’ve got to work together to get this right. Thank you enormously.
Lisa Monaco
Thank you so much.
Sir Peter Westmacott
And Paddy…